Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

extend offset feature to account for architecture/bitness #210

Closed
williballenthin opened this issue Jul 28, 2020 · 2 comments · Fixed by #216
Closed

extend offset feature to account for architecture/bitness #210

williballenthin opened this issue Jul 28, 2020 · 2 comments · Fixed by #216
Labels
enhancement New feature or request
Milestone
v1.1.0

Comments

@williballenthin
Copy link
Collaborator

williballenthin commented Jul 28, 2020
edited

on different architectures (specifically x32 vs x64) the sizes and layouts of structures will differ. right now, capa doesn't have an easy way to limit its offset features based on the architecture, which means there's a greater chance of FP binaries of the wrong bitness. we should consider extending the offset features with tags specifying what bitnesses they match.

initially motivated here: mandiant/capa-rules#54 (comment)

best sketch so far:

- or:
  - offset/x32: 0x24 = pe.szExeFile
  - offset/x64: 0x?? = pe.szExeFile

this would be an easy add, since we could just emit an additional feature for each offset that's tagged with the bitness.
@williballenthin williballenthin added the enhancement New feature or request label Jul 28, 2020
@williballenthin williballenthin mentioned this issue Jul 28, 2020
Merged
@williballenthin
Copy link
Collaborator Author

@mr-tz points out that we should enable these flavors for numbers, too.

@williballenthin
Copy link
Collaborator Author

williballenthin commented Jul 30, 2020
edited

after further consideration, suggest using suffixes /x32 and /x64 to better indicate this is an arch thing, not the width of the value, etc.

williballenthin added a commit that referenced this issue Aug 3, 2020
@williballenthin
rules: add support for arch flavors of Number and Offset features
b81b5e5 
closes #210
@williballenthin williballenthin mentioned this issue Aug 3, 2020
Merged
@williballenthin williballenthin added this to the v1.1.0 milestone Aug 4, 2020
@mr-tz mr-tz mentioned this issue Nov 8, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
v1.1.0
Development

Successfully merging a pull request may close this issue.

rules: add support for arch flavors of Number and Offset features mandiant/capa
1 participant
@williballenthin